Protegrity Blog

Why Brexit is irrelevant when it comes to preparing for GDPR

Author : protegrity

The General Data Protection Regulation (GDPR) has caused many organisations powered by data to seriously rethink their data security strategy; yet many more are stalling, uncertain of how the regulation applies to businesses outside the EU, especially British companies facing the added complication of a possible exit from Europe. Given the scope of the regulation and the heavy penalties it carries, waiting is a flawed and risky approach. Let’s look at some of the points critical to GDPR that mean UK businesses cannot afford to wait:

  1. Irrespective of European status, any British organisation processing European citizen data will feel the effects of GDPR; the Regulation applies to all organisations that do business in Europe “regardless of whether the processing [of personal data] itself takes place within the Union”.
  2. GDPR is due to come into force on 25th May 2018; compliance is complex and the deadline is rapidly approaching.
  3. The revised definition of Personally Identifiable Information (PII) has greatly expanded the scope of privacy regulations to include “identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity,” all of which carry great analytical value; relevant stakeholders need a security strategy that protects data insight as well as privacy.

Failure to comply with certain aspects of GDPR could result in fines in excess of €20 million. Take the still prominent Talk Talk case from October 2015 as an example: their preliminary results show that pre-tax profits have more than halved compared to last year, mostly, it seems, because of £40-£45 million of “exceptional costs” arising from the breach. In addition, they have lost around 160,000 retail customers, which amounts to 3% of their customer base. Under GDPR the Information Commissioner’s Office (ICO) could have fined Talk Talk up to 4% of global turnover, adding tens of millions of pounds on top of these already significant expenses, and could have launched an investigation into criminal liability. That Talk Talk believed their “systems were as secure as they could be” must now seem an expensive miscalculation.

Around the world, senior executives urgently need to anticipate how dramatically GDPR changes the way their organisation must protect sensitive and private data, and British businesses should see the EU referendum as no reason to delay. Don’t make the monumental miscalculation other companies have made; start now to avoid the risks associated with rushing change – identify key stakeholders and their responsibilities, and make a clear, coherent plan for GDPR compliance that avoids impacting processing or analysis. Act now to protect data; as one of the most valuable, competitive assets an organisation has, is it worth the risk not to?
